Share this Page

Stepping Into the Breach

Data breaches are going to happen, regardless of what an institution does. How effectively a school responds may be a more telling indicator of its preparedness.

By Sue Marquette Poremba

10/25/11

If you think your institution is immune to a security breach, perhaps you should have a chat with Brian Rust at the University of Wisconsin-Madison. When asked about data breaches on his campus, the communications director in the Office of the Chief Information Officer answers with the hint of a sigh: "Let me tell you about the most recent one."

This particular breach involved the Wiscard, a student ID that doubles as a debit card. "There were records kept on a server that wasn't as secure as it should have been," Rust explains. But he's quick to point out UW-Madison is no more or less vulnerable than any other university. In fact, he believes that almost every school has suffered a breach or an exposure at some point.

It's a view shared by Matt Morton, director of information services at Buena Vista University (IA), which suffered a security breach in 2010 (the case is currently working its way through the court system). Morton feels that breaches are not only inevitable but will occur more than once.

Obviously, schools should do whatever they can to secure their networks, but Rust and Morton have learned that institutions must also have a plan in place to deal with the aftermath of a breach. Critical components of a plan include alerting potential victims that their information may have been compromised, explaining the situation to the public, and internal steps for identifying and analyzing the damage and re-establishing a secure system.

The first step, though, is to come clean. The knee-jerk reaction for many administrators is to keep news of the breach quiet. That's a mistake. "If you let the media control the message, it is going to be a painful experience," says Jeremiah Grossman, chief technology officer with WhiteHat Security. "It has to be all about honesty and transparency to make sure there remains a level of trust in the institution."

One strategy is to give the communications departments a prepared script about the breach. "Have a three-sentence statement that allows people to summarize what happened," says Cathy Hubbs, chief information security officer at American University (DC). This can keep reporters at bay and let the investigators do their job.

Preserving the Crime Scene
In the aftermath of a breach, one of the biggest mistakes that organizations make is trying to quickly shut down any malicious activity. "This can be disastrous," says Geoff Webb, director of Credant Technologies, a security company. "While the natural response of senior management may be to shut everything down, you must resist this pressure. If this is an accidental breach, then you will need to understand what happened and how. If this is a malicious breach, then it is imperative that the systems involved remain active--any attempt to cut off the attackers will only alert them and may destroy any evidence on the breached systems. If it does appear to be a malicious breach, you should call in a forensic team and law enforcement before you change anything."

It's important to conduct the forensics as rapidly as possible, because the clock is ticking. "As soon as we discover the significance of an exposure or breach, we have 45 days to notify the people whose sensitive information may have been exposed," says Rust, referring to a time limit imposed by Wisconsin law.

Notification is not an easy task. Records may not have up-to-date physical or e-mail addresses; some of the people may even be dead. "You may need to turn to outside vendors to help find those who may have compromised records," notes Rust.

UW-Madison, for example, contracted an outside firm and set up a phone bank. The people answering the phones were given a very tight script that answered basic questions. If callers had more in-depth questions, their calls were elevated to someone within the university system.

Having a website dedicated to the problem is also valuable. The website should include basic information about what happened, what the school might be offering (like free credit monitoring for a prescribed amount of time), and an FAQ that is regularly updated with any new questions that come in. The help center should also include the website address as part of any recorded phone message.

Calling in the Cavalry
Outside security vendors can be a lifesaver. When Morton discovered that Buena Vista had been victimized last year, he quickly realized he needed outside help. "In these situations, there is more work than there are people to do it," explains Morton. "Even more so in a college environment."

Because it's their business, outside vendors have learned what it takes to clean up and move on after a breach. In addition, they often understand the complex regulatory issues and how they affect the notification process.

"A third-party service can help colleges through the compliance issues," notes Rick Shaw, president and CEO of Awareity, which provides post-breach services to schools. "We can also help by sending out letters or setting up call centers."

While outside vendors can carry a lot of the water, universities shouldn't see them as a replacement for a solid recovery plan. And no matter how good that plan might be, it will be useless if it ends up gathering dust on a shelf.

For Hubbs at AU, it's vital to practice in anticipation of the inevitable. "We have to be able to work together to get through the process," she explains. "We stage events and do dry runs so, if the real moment comes, we aren't running around as if our hair is on fire."

In Hubbs' opinion, the response team should include different segments of the campus population, including legal, the executive administration, communications, and IT security. This group should meet periodically to review the response plan, as well as keep abreast of new compliance and regulation issues.

It may also be worth identifying who is responsible for what from a security standpoint, because you don't want the recovery process degenerating into a spat about who's to blame and who should foot the bill. In the UW-Madison breach, for example, there was some question about who was going to pay for the remediation, which certainly wasn't cheap. In the end, the provost allowed the security team to bill the department that had been breached. "It may be a lesson to be more aware of security issues," says Rust.

Ultimately, there is a window of opportunity to respond to a breach. It just happens that that this window comes before the breach ever occurs. Drawing up a clear incident-response plan with well-defined responsibilities can save your organization millions of dollars in costs and a lot of embarrassing publicity.

The Full Monty?In data security parlance, there is a subtle--but important--difference between a breach and an exposure. An exposure is an incident where someone obtained access to your data but you aren't sure if anyone actually looked at it. In a breach, you know someone looked at it.